FreeRadius - Cisco 7204 - L2TP Tunnel
Hi all I'm having major issues with getting Freeradius to authenticate from a Cisco 7204 that is terminating an L2TP tunnel and sending radius auth to a FreeRadius server. Using a default install of Freeradius and configuring it to accept auth requests from the Cisco in clients.conf it just fails on authentication. Even though the username and password in the users files is correct, proven using radtest.
From radius -X without changing any config options it gives me Login is incorrect sending a plain text password.
No matter what I change in the config files it always fails. I've tried adding Auth-Type's to the users entry such as Local and this gives me things like no password is configured for the user. Removing the "Default Auth-Type" from the top of the users file and setting an Auth-Type in the users entry gives me no Auth-Type set. Really not sure where the error is. So I guess my question is does anyone use FreeRadius to authenticate from a Cisco 7200 series with success? If so is it possible to supply: - The virtual template section that specifies the ppp authentication? - A copy of the radius.conf file? - The users file with an example users entry that works. Then I can see if I've got it all setup correctly. This used to work fine when I was using a Linux server to terminate the L2TP tunnel, I used L2TPNS to do the termination and it sent radius authentication to the FreeRadius server. Thanks Tony -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
TS wrote:
So I guess my question is does anyone use FreeRadius to authenticate from a Cisco 7200 series with success?
Almost certainly.
If so is it possible to supply:
I don't know about the 7204 but if you post the output of "radiusd -X" and the users file, someone can probably spot the problem. Since you're terminating L2TP and radtest works, I'll take a guess that possibly the L2TP is using CHAP, whereas radtest sends PAP requests.
Here's hoping.... The radius -X debug is: ####################### Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: bind_address = 192.168.0.3 IP address [192.168.0.3] main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 192.168.0.3:1645 Listening on accounting 192.168.0.3:1646 Listening on proxy 192.168.0.3:1647 Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.250:1645, id=168, length=97 Framed-Protocol = PPP User-Name = "23877@local.realm.com" User-Password = "mysecret" NAS-Port-Type = Virtual NAS-Port = 726 Service-Type = Framed-User NAS-IP-Address = 192.168.0.250 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: Looking up realm "local.realm.com" for User-Name = "23877@local.realm.com" rlm_realm: No such realm " local.realm.com" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 6 users: Matched DEFAULT at 171 users: Matched DEFAULT at 183 modcall[authorize]: module "files" returns ok for request 6 modcall: group authorize returns ok for request 6 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [23877@local.realm.com/mysecret] (from client cisco7204 port 726) Delaying request 6 for 1 seconds Finished request 6 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 168 to 192.168.0.250:1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 6 ID 168 with timestamp 44379f6f Nothing to do. Sleeping until we see a request. ############# My users file (without all the commented out lines) ########## # #DEFAULT Auth-Type = System # Fall-Through = 1 DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP 23877@local.realm.com Auth-Type = Local, User-Password == "mysecret" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Address = 10.0.0.1, Framed-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP ######## And just for good measure here is the Cisco debug: ###### *Apr 8 12:03:50.473 BST: AAA/BIND(000002E1): Bind i/f Virtual-Template3 *Apr 8 12:03:50.473 BST: AAA/AUTHEN/PPP (000002E1): Pick method list 'default' *Apr 8 12:03:50.473 BST: RADIUS/ENCODE(000002E1):Orig. component type = VPDN *Apr 8 12:03:50.473 BST: RADIUS: AAA Unsupported Attr: interface [153] 15 *Apr 8 12:03:50.473 BST: RADIUS: 55 6E 69 71 2D 53 65 73 73 2D 49 44 37 [Uniq-Sess-ID7] *Apr 8 12:03:50.477 BST: RADIUS(000002E1): Storing nasport 720 in rad_db *Apr 8 12:03:50.477 BST: RADIUS(000002E1): Config NAS IP: 0.0.0.0 *Apr 8 12:03:50.477 BST: RADIUS/ENCODE(000002E1): acct_session_id: 1168 *Apr 8 12:03:50.477 BST: RADIUS(000002E1): sending *Apr 8 12:03:50.477 BST: RADIUS/ENCODE: Best Local IP-Address 192.168.0.250 for Radius-Server 192.168.0.3 *Apr 8 12:03:50.477 BST: RADIUS(000002E1): Send Access-Request to 192.168.0.3:1645 id 1645/162, len 97 *Apr 8 12:03:50.477 BST: RADIUS: authenticator 76 7D 09 92 23 C7 65 B1 - 6C D7 3C E1 10 6B 56 CF *Apr 8 12:03:50.477 BST: RADIUS: Framed-Protocol [7] 6 PPP [1] *Apr 8 12:03:50.477 BST: RADIUS: User-Name [1] 29 "23877@local.realm.com" *Apr 8 12:03:50.477 BST: RADIUS: User-Password [2] 18 * *Apr 8 12:03:50.477 BST: RADIUS: NAS-Port-Type [61] 6 Virtual [5] *Apr 8 12:03:50.477 BST: RADIUS: NAS-Port [5] 6 720 *Apr 8 12:03:50.477 BST: RADIUS: Service-Type [6] 6 Framed [2] *Apr 8 12:03:50.477 BST: RADIUS: NAS-IP-Address [4] 6 192.168.0.250 *Apr 8 12:03:52.513 BST: RADIUS: Received from id 1645/162 192.168.0.3:1645, Access-Reject, len 20 *Apr 8 12:03:52.513 BST: RADIUS: authenticator DD E8 59 9D 6D 1B 13 29 - C2 25 B3 6D E1 38 64 8E *Apr 8 12:03:52.513 BST: RADIUS(000002E1): Received from id 1645/162 ########## Thanks Tony -----Original Message----- From: freeradius-users-bounces+tony=thewordzone.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+tony=thewordzone.co.uk@lists.freeradius.org ] On Behalf Of Phil Mayers Sent: 08 April 2006 12:07 To: FreeRadius users mailing list Subject: Re: FreeRadius - Cisco 7204 - L2TP Tunnel TS wrote:
So I guess my question is does anyone use FreeRadius to authenticate from a Cisco 7200 series with success?
Almost certainly.
If so is it possible to supply:
I don't know about the 7204 but if you post the output of "radiusd -X" and the users file, someone can probably spot the problem. Since you're terminating L2TP and radtest works, I'll take a guess that possibly the L2TP is using CHAP, whereas radtest sends PAP requests. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Ok, I see the problem:
users: Matched DEFAULT at 171 users: Matched DEFAULT at 183 modcall[authorize]: module "files" returns ok for request 6
My users file (without all the commented out lines)
DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes
DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP
There's no "Fall-Through = Yes" on this entry (the default entries in the users file in current release are a bit historic and not especially helpful to be in there uncommented by default, but compatibility concerns I imagine block their removal). So processing stops here, and never reaches the desired entry:
23877@local.realm.com Auth-Type = Local, User-Password == "mysecret" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Address = 10.0.0.1, Framed-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP
So, you can either add a Fall-Though = Yes to the PPP entry, or delete it (since you've got the attributes defined on the users entry anyway you don't need it, or the Framed-Protocol match further up). Personally I tend to do: cp users users.example
users
...and start with a clean slate, reading the examples from the old file. FYI the users file in CVS has by default none of these semi-historic uncommented examples.
Hi Phil Good call. Thanks for that. Works a treat now. Tony -----Original Message----- From: freeradius-users-bounces+tony=thewordzone.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+tony=thewordzone.co.uk@lists.freeradius.org ] On Behalf Of Phil Mayers Sent: 08 April 2006 13:17 To: FreeRadius users mailing list Subject: Re: FreeRadius - Cisco 7204 - L2TP Tunnel Ok, I see the problem:
users: Matched DEFAULT at 171 users: Matched DEFAULT at 183 modcall[authorize]: module "files" returns ok for request 6
My users file (without all the commented out lines)
DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes
DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP
There's no "Fall-Through = Yes" on this entry (the default entries in the users file in current release are a bit historic and not especially helpful to be in there uncommented by default, but compatibility concerns I imagine block their removal). So processing stops here, and never reaches the desired entry:
23877@local.realm.com Auth-Type = Local, User-Password == "mysecret" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Address = 10.0.0.1, Framed-Netmask = 255.255.255.255, Framed-Compression = Van-Jacobsen-TCP-IP
So, you can either add a Fall-Though = Yes to the PPP entry, or delete it (since you've got the attributes defined on the users entry anyway you don't need it, or the Framed-Protocol match further up). Personally I tend to do: cp users users.example
users
...and start with a clean slate, reading the examples from the old file. FYI the users file in CVS has by default none of these semi-historic uncommented examples. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
participants (2)
-
Phil Mayers -
TS